Hackers build a ‘Master Key’ that unlocks millions of hotel rooms

A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers.

The vulnerability has been discovered in Vision by VingCard locking system—made by the world’s largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors.

How Hackers Built a ‘Master Key’

To obtain the electronic key (RFID or magstripe), an attacker could read the data remotely by standing close to a hotel guest or employee having a keycard in his pocket, or simply could book a room and then use that card as the source.

The attacker would then need to buy a portable programmer for a few hundred dollars online to overwrite it, and therefore creating a master key within minutes.

The custom-tailored device (actually an RFID reader/writer) is then held close to the target lock, which tries different keys in less than one minute and locates the master key and unlocks the door.

Now, you can either use this custom-tailored device as the master key to open any door in the facility or write the master key back to your keycard. Once done, you can now access any room in the hotel using the master key.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tuominen in a blog post published Wednesday. “We don’t know of anyone else performing this particular attack in the wild right now.”

“I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues,” Tuominen said. “Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”

About a year ago, we saw how hackers forced a luxurious hotel in Austria to pay ransom in Bitcoin, after ransomware hit the hotel’s IT system, locking hundreds of guests out of their rooms.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.